Extensible authentication protocol (EAP) is a general protocol for authentication that supports multiple authentication methods as an extension to data link layers, such as the point-to-point protocol (PPP) or IEEE 802.1X, without requiring IP, as described, for instance, in the Internet Engineering Task Force (IETF) publication RFC 3748. EAP is a lock-step protocol that supports exchanges of single data packets. Thus, EAP cannot efficiently transport bulk data.
Many of the authentication methods supported by EAP accomplish authentication through an EAP session characterized by a sequential message conversation in which a multi-step exchange of successive EAP messages occurs between a peer and an authenticating entity (e.g., an authentication server) that terminates the EAP authentication method. EAP assumes ordering guarantees provided by the data link layer, thereby supporting in-order packet delivery and retransmission. Thus, a new request—other than the initial request—cannot be sent before receiving a valid response. A host receiving an EAP packet has three options: act on it, drop it, or forward it.
In some environments, a peer may gain access to the network through a network access server (NAS) with which two or more authentication servers are associated, for example, for redundancy and/or load balancing purposes. Currently, the peer is required to carry out the entire authentication conversation with a single authentication server to successfully negotiate an authentication method and complete the subsequent authentication. That is, EAP sessions typically fail when a mid-conversation EAP packet is terminated at an authentication server that has not been privy to the ongoing EAP conversation. Because the NAS varyingly assigns a path of travel for EAP packets received from the peer, however, it is statistically unlikely that each of the EAP packets in an entire EAP conversation will terminate at the same authentication server. This unlikelihood increases with the number of EAP packets in a given EAP conversation and with the number of associated authentication servers in a given network.
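
The failure mode described above can be made concrete with a small simulation, added here as an illustration and not taken from the original document or from RFC 3748. The class and function names are hypothetical, and the NAS is assumed to pick a server uniformly at random for each packet; under that assumption a conversation of n packets across k servers completes with probability (1/k)^(n-1).

```python
import random
import zlib

class AuthServer:
    """Authentication server holding EAP conversation state only in local memory."""
    def __init__(self, name):
        self.name = name
        self.expected = {}                    # peer id -> index of the next packet expected

    def handle(self, peer, index):
        """Process one peer packet; False means the session fails at this server."""
        if index == 0:                        # initial packet opens a new conversation
            self.expected[peer] = 1
            return True
        if self.expected.get(peer) != index:  # server was not privy to the earlier packets
            return False
        self.expected[peer] = index + 1
        return True

def varying_path(rng):
    """NAS model (assumption): each packet goes to a uniformly random server."""
    return lambda servers, peer: rng.choice(servers)

def pinned_path(servers, peer):
    """Contrast case: every packet of one peer reaches the same server."""
    return servers[zlib.crc32(peer.encode()) % len(servers)]

def run_conversation(servers, peer, packets, pick):
    """Lock-step exchange: packet i is sent only after packet i-1 was accepted."""
    return all(pick(servers, peer).handle(peer, i) for i in range(packets))

def success_rate(n_servers, packets, pick, trials=20000):
    """Fraction of constructed conversations that complete."""
    servers = [AuthServer(f"as{i}") for i in range(n_servers)]
    done = sum(run_conversation(servers, f"peer{t}", packets, pick) for t in range(trials))
    return done / trials

def expected_rate(n_servers, packets):
    """Closed form under the uniform model: packets 2..n must all follow packet 1."""
    return (1 / n_servers) ** (packets - 1)

if __name__ == "__main__":
    for k, n in [(2, 4), (2, 8), (4, 8)]:
        sim = success_rate(k, n, varying_path(random.Random(7)))
        print(f"servers={k} packets={n} simulated={sim:.4f} expected={expected_rate(k, n):.4f}")
    print("pinned:", success_rate(4, 8, pinned_path))
```

Running the script prints the simulated and closed-form completion rates side by side for each server and packet count, followed by the pinned-path rate.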